Security Response

SecurEnvoy is a trusted provider of Identity Management. Across five continents, their customers benefit from rapid deployments that scale through instant provisioning, simplicity of use and ease of management.

SecurEnvoy’s mission is to provide the best identity protection and intelligence solution in the security industry, and we welcome and appreciate constructive engagement with security researchers to ensure that our solutions continue to meet high security standards.

Please contact security@securenvoy.com. We treat every report as a priority while we evaluate the impact it could have on our customers.

During this process, SecurEnvoy will communicate as promptly as we are able, until completion of our investigation and any necessary remediation. We thank you for your time and expertise in improving the security of our company and our customers.


Our Testing Process

SecurEnvoy does not operate a bug bounty program at this time, but may choose to reward reporters of issues in some cases, at our discretion.

Each of our releases undergoes a rigorous testing process to ensure we exceed the security expectations of our clients and customers. This testing includes a penetration test of the release, giving our clients assurance over the risks it may carry. Our test consultants hold numerous CREST certifications, including CREST Certified Tester, CREST Registered Tester and CREST Certified Simulated Attack Manager, amongst other industry recognised certifications.


Responsible Disclosure

Notifying SecurEnvoy before releasing information about a vulnerability publicly is standard practice in the security industry and is known as “responsible disclosure.” This advance notice allows SecurEnvoy to investigate, fix and disclose vulnerabilities to its customers in a way that protects SecurEnvoy end-users before attackers learn of their existence, keeping the Internet safer for business.

We appreciate your assistance in ensuring that SecurEnvoy products and services are secure.


Rules of Engagement

To ensure a great experience with SecurEnvoy, we ask that researchers follow these simple rules of engagement to limit the risk to company and customer data:


  • Do not interact with any individual account (including modifying, deleting, sharing, copying or accessing data from the account) unless the account owner has consented to such actions.
  • Make a good faith effort to avoid privacy violations and disruption to others, including (but not limited to) destruction of data and interruption or degradation of our services during your testing.
  • Do not use your findings to phish, spam, social engineer or otherwise defraud any customers or SecurEnvoy employees during the course of testing in order to escalate your access.
  • Do not perform denial of service (DoS) or distributed denial of service (DDoS) attacks against any SecurEnvoy resource or service to prove the impact of a suspected security issue.
  • If you are ever unclear on how far your testing should go, please contact security@securenvoy.com to coordinate testing with us. We can often validate your suspicions in simple ways that reduce the chance of harm to our services and customers.


Reporting Security Vulnerabilities

For an Online Service Security Issue…

  • The date and time when you initially discovered the issue
  • The URL(s) to which the security issue applies
  • All relevant headers and parameters used to demonstrate the risk against the service
  • Your operating system and browser, with version numbers, used for all testing
  • Any third-party tools or custom scripts used at the time of testing


For a Packaged Software Security Issue…

  • The name and version number of the SecurEnvoy software you were testing
  • The operating system, platform or other relevant environment details
  • Where relevant, the software's configuration file, with any secrets redacted


For ALL Security Issues, Please Also Include…

  • A description of the type of issue (e.g. Remote Code Execution, Cross-Site Scripting)
  • Your assessment of the impact and criticality of the finding, and any abuse cases
  • Sample code (i.e. a proof of concept) and/or the tool used to generate an exploit payload
  • The best contact details for the finder of the issue (e.g. email, phone)
  • Any planned disclosure timeline, if you intend to publish the findings
  • Any information you may have accidentally accessed during testing without permission


Our Response

SecurEnvoy will acknowledge receipt of a report within 48 hours, and we ask that you give us reasonable time to investigate and mitigate an issue before making any information about the report public or sharing it with others.

SecurEnvoy may need to follow up with additional questions to ensure we understand the report and its impact clearly.

Once a reported issue has been validated and remediated, SecurEnvoy will announce it publicly to its customers, publish details via the website and blog, and update the relevant release notes.